freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

FreeIPA installation fails on mac os #309

Closed GitNRG closed 4 years ago

GitNRG commented 4 years ago

I'm trying to run FreeIPA for development on my Mac, but it seems that I have a problem. The instructions on the main page don't work for me, so I've spent some time figuring out a few issues and ended up with the following command

docker run --name freeipa-server-container \
-ti \
-h ipa.example.test \
-e DEBUG_TRACE=1 \
-e DEBUG_NO_EXIT=1 \
--privileged \
--security-opt seccomp:unconfined \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-e PASSWORD=Secret123 \
-v freeipaVolume:/data \
freeipa/freeipa-server

It seems that the macOS fs doesn't play well with the Linux fs, so I've created freeipaVolume simply with docker volume create freeipaVolume

The installer asks a few questions, runs for a few minutes and then fails. Below is what I have entered and the error message

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipa.example.test]: 

The domain name has been determined based on the host name.

Please confirm the domain name [example.test]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.TEST]: 
Do you want to configure chrony with NTP server or pool address? [no]: 

The IPA Master Server will be configured with:
Hostname:       ipa.example.test
IP address(es): 172.17.0.2
Domain name:    example.test
Realm name:     EXAMPLE.TEST

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.TEST
Subject base: O=EXAMPLE.TEST
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: configure autobind for root
  [3/44]: stopping directory server
  [4/44]: updating configuration in dse.ldif
  [5/44]: starting directory server
  [6/44]: adding default schema
  [7/44]: enabling memberof plugin
  [8/44]: enabling winsync plugin
  [9/44]: configure password logging
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache and keytab
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: Add ipa-pki-wait-running
  [3/29]: reindex attributes
  [4/29]: exporting Dogtag certificate store pin
  [5/29]: stopping certificate server instance to update CS.cfg
  [6/29]: backing up CS.cfg
  [7/29]: disabling nonces
  [8/29]: set up CRL publishing
  [9/29]: enable PKIX certificate path discovery and validation
  [10/29]: starting certificate server instance
  [11/29]: configure certmonger for renewals
  [12/29]: requesting RA certificate from CA
  [13/29]: setting audit signing renewal to 2 years
  [14/29]: restarting certificate server
  [15/29]: publishing the CA certificate
  [16/29]: adding RA agent as a trusted user
  [17/29]: authorizing RA to modify profiles
  [18/29]: authorizing RA to manage lightweight CAs
  [19/29]: Ensure lightweight CAs container exists
  [20/29]: configure certificate renewals
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring client side components
This program will set up FreeIPA client.
Version 4.8.4

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.example.test
Realm: EXAMPLE.TEST
DNS Domain: example.test
IPA Server: ipa.example.test
BaseDN: dc=example,dc=test

Configured sudoers in /data/etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
No valid Negotiate header in server response
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Configuration of client side components failed!
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
+ ret=123
+ echo 'FreeIPA server configuration failed.'
FreeIPA server configuration failed.
+ exit 123
+ mark_exit_code
+ exit_code=123
+ echo 123
+ exit 123

In var/log/ipaserver-install.log I have the following message

2020-02-20T07:59:32Z DEBUG Configuring client side components
2020-02-20T07:59:32Z DEBUG Starting external process
2020-02-20T07:59:32Z DEBUG args=['/usr/sbin/ipa-client-install', '--on-master', '--unattended', '--domain', 'example.test', '--server', 'ipa.example.test', '--realm', 'EXAMPLE.TEST', '--hostname', 'ipa.example.test', '--no-ntp']
2020-02-20T07:59:33Z DEBUG Process finished, return code=1
2020-02-20T07:59:33Z DEBUG   File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/cli.py", line 340, in run
    return cfgr.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/__init__.py", line 564, in main
    master_install(self)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/install.py", line 276, in decorated
    func(installer)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/install.py", line 981, in install
    raise ScriptError("Configuration of client side components failed!")

2020-02-20T07:59:33Z DEBUG The ipa-server-install command failed, exception: ScriptError: Configuration of client side components failed!
2020-02-20T07:59:33Z ERROR Configuration of client side components failed!
2020-02-20T07:59:33Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

At this point I've spent most of the time and it seems that I'm stuck, so I'm asking for help.

My environment:
OS: macOS Catalina 10.15.3
Docker: 19.03.5, build 633a0ea
FreeIPA OS: Fedora 31

I would be grateful for any ideas how to solve this issue.

Thanks!

adelton commented 4 years ago

Please check the var/log/ipaclient-install.log in the container for the error messages of that failed ipa-client-install.

GitNRG commented 4 years ago

Content of var/log/ipaclient-install.log

[root@ipa /]# cat var/log/ipaclient-install.log
2020-02-24T18:26:08Z DEBUG Logging to /var/log/ipaclient-install.log
2020-02-24T18:26:08Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': True, 'principal': None, 'prompt_password': False, 'on_master': True, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': True, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': 'example.test', 'servers': ['ipa.example.test'], 'realm_name': 'EXAMPLE.TEST', 'host_name': 'ipa.example.test', 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2020-02-24T18:26:08Z DEBUG IPA version 4.8.4-2.fc31
2020-02-24T18:26:08Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2020-02-24T18:26:08Z DEBUG Starting external process
2020-02-24T18:26:08Z DEBUG args=['/usr/sbin/selinuxenabled']
2020-02-24T18:26:08Z DEBUG Process finished, return code=1
2020-02-24T18:26:08Z DEBUG stdout=
2020-02-24T18:26:08Z DEBUG stderr=
2020-02-24T18:26:08Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2020-02-24T18:26:08Z DEBUG [IPA Discovery]
2020-02-24T18:26:08Z DEBUG Starting IPA discovery with domain=example.test, servers=['ipa.example.test'], hostname=ipa.example.test
2020-02-24T18:26:08Z DEBUG Server and domain forced
2020-02-24T18:26:08Z DEBUG [Kerberos realm search]
2020-02-24T18:26:08Z DEBUG Kerberos realm forced
2020-02-24T18:26:08Z DEBUG [LDAP server check]
2020-02-24T18:26:08Z DEBUG Verifying that ipa.example.test (realm EXAMPLE.TEST) is an IPA server
2020-02-24T18:26:08Z DEBUG Init LDAP connection to: ldap://ipa.example.test:389
2020-02-24T18:26:08Z DEBUG Search LDAP server for IPA base DN
2020-02-24T18:26:08Z DEBUG Check if naming context 'dc=example,dc=test' is for IPA
2020-02-24T18:26:08Z DEBUG Naming context 'dc=example,dc=test' is a valid IPA context
2020-02-24T18:26:08Z DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=test (sub)
2020-02-24T18:26:08Z DEBUG Found: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
2020-02-24T18:26:08Z DEBUG Discovery result: Success; server=ipa.example.test, domain=example.test, kdc=ipa.example.test, basedn=dc=example,dc=test
2020-02-24T18:26:08Z DEBUG Validated servers: ipa.example.test
2020-02-24T18:26:08Z DEBUG will use discovered domain: example.test
2020-02-24T18:26:08Z DEBUG Using servers from command line, disabling DNS discovery
2020-02-24T18:26:08Z DEBUG will use provided server: ipa.example.test
2020-02-24T18:26:08Z DEBUG will use discovered realm: EXAMPLE.TEST
2020-02-24T18:26:08Z DEBUG will use discovered basedn: dc=example,dc=test
2020-02-24T18:26:08Z INFO Client hostname: ipa.example.test
2020-02-24T18:26:08Z DEBUG Hostname source: Provided as option
2020-02-24T18:26:08Z INFO Realm: EXAMPLE.TEST
2020-02-24T18:26:08Z DEBUG Realm source: Discovered from LDAP DNS records in ipa.example.test
2020-02-24T18:26:08Z INFO DNS Domain: example.test
2020-02-24T18:26:08Z DEBUG DNS Domain source: Forced
2020-02-24T18:26:08Z INFO IPA Server: ipa.example.test
2020-02-24T18:26:08Z DEBUG IPA Server source: Provided as option
2020-02-24T18:26:08Z INFO BaseDN: dc=example,dc=test
2020-02-24T18:26:08Z DEBUG BaseDN source: From IPA server ldap://ipa.example.test:389
2020-02-24T18:26:08Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2020-02-24T18:26:08Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2020-02-24T18:26:08Z DEBUG Skipping attempt to configure and synchronize time with chrony server as it has been already done on master.
2020-02-24T18:26:08Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2020-02-24T18:26:08Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2020-02-24T18:26:08Z DEBUG New SSSD config will be created
2020-02-24T18:26:08Z DEBUG Backing up system configuration file '/data/etc/authselect/user-nsswitch.conf'
2020-02-24T18:26:08Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2020-02-24T18:26:08Z DEBUG Updating configuration file /data/etc/authselect/user-nsswitch.conf
2020-02-24T18:26:08Z DEBUG 
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus         Use NIS+ (NIS version 3)
#   nis         Use NIS (NIS version 2), also called YP
#   dns         Use DNS (Domain Name Service)
#   files           Use the local files in /etc
#   db          Use the pre-processed /var/db files
#   compat          Use /etc files plus *_compat pseudo-databases
#   hesiod          Use Hesiod (DNS) for user lookups
#   sss         Use sssd (System Security Services Daemon)
#   [NOTFOUND=return]   Stop searching if not found so far
#
# 'sssd' performs its own 'files'-based caching, so it should
# generally come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may lead to
#      unexpected behaviour, especially with how long entries are cached.

# To use 'db', install the nss_db package, and put the 'db' in front
# of 'files' for entries you want to be looked up first in the
# databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd

hosts:      files dns myhostname

bootparams: files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   sss

publickey:  files

automount:  files sss
aliases:    files
sudoers: files sss

2020-02-24T18:26:08Z INFO Configured sudoers in /data/etc/authselect/user-nsswitch.conf
2020-02-24T18:26:08Z INFO Configured /etc/sssd/sssd.conf
2020-02-24T18:26:08Z DEBUG Initializing principal host/ipa.example.test@EXAMPLE.TEST using keytab /data/etc/krb5.keytab
2020-02-24T18:26:08Z DEBUG using ccache /etc/ipa/.dns_ccache
2020-02-24T18:26:08Z DEBUG Attempt 1/5: success
2020-02-24T18:26:08Z DEBUG Starting external process
2020-02-24T18:26:08Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmp5vna31lj', '-N', '-f', '/tmp/tmp5vna31lj/pwdfile.txt', '-@', '/tmp/tmp5vna31lj/pwdfile.txt']
2020-02-24T18:26:08Z DEBUG Process finished, return code=0
2020-02-24T18:26:08Z DEBUG stdout=
2020-02-24T18:26:08Z DEBUG stderr=
2020-02-24T18:26:08Z DEBUG Starting external process
2020-02-24T18:26:08Z DEBUG args=['/usr/sbin/selinuxenabled']
2020-02-24T18:26:08Z DEBUG Process finished, return code=1
2020-02-24T18:26:08Z DEBUG stdout=
2020-02-24T18:26:08Z DEBUG stderr=
2020-02-24T18:26:08Z DEBUG Starting external process
2020-02-24T18:26:08Z DEBUG args=['/usr/sbin/selinuxenabled']
2020-02-24T18:26:08Z DEBUG Process finished, return code=1
2020-02-24T18:26:08Z DEBUG stdout=
2020-02-24T18:26:08Z DEBUG stderr=
2020-02-24T18:26:08Z DEBUG Starting external process
2020-02-24T18:26:08Z DEBUG args=['/usr/sbin/selinuxenabled']
2020-02-24T18:26:08Z DEBUG Process finished, return code=1
2020-02-24T18:26:08Z DEBUG stdout=
2020-02-24T18:26:08Z DEBUG stderr=
2020-02-24T18:26:08Z DEBUG Starting external process
2020-02-24T18:26:08Z DEBUG args=['/usr/sbin/selinuxenabled']
2020-02-24T18:26:08Z DEBUG Process finished, return code=1
2020-02-24T18:26:08Z DEBUG stdout=
2020-02-24T18:26:08Z DEBUG stderr=
2020-02-24T18:26:08Z DEBUG Starting external process
2020-02-24T18:26:08Z DEBUG args=['/usr/sbin/selinuxenabled']
2020-02-24T18:26:08Z DEBUG Process finished, return code=1
2020-02-24T18:26:08Z DEBUG stdout=
2020-02-24T18:26:08Z DEBUG stderr=
2020-02-24T18:26:08Z DEBUG Starting external process
2020-02-24T18:26:08Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp5vna31lj', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmp5vna31lj/pwdfile.txt']
2020-02-24T18:26:09Z DEBUG Process finished, return code=0
2020-02-24T18:26:09Z DEBUG stdout=
2020-02-24T18:26:09Z DEBUG stderr=
2020-02-24T18:26:09Z DEBUG failed to find session_cookie in persistent storage for principal 'host/ipa.example.test@EXAMPLE.TEST'
2020-02-24T18:26:09Z DEBUG trying https://ipa.example.test/ipa/json
2020-02-24T18:26:09Z DEBUG Created connection context.rpcclient_140104877528080
2020-02-24T18:26:09Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://ipa.example.test/ipa/json'
2020-02-24T18:26:09Z DEBUG New HTTP connection (ipa.example.test)
2020-02-24T18:26:09Z DEBUG HTTP connection destroyed (ipa.example.test)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 724, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 677, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
2020-02-24T18:26:09Z DEBUG Destroyed connection context.rpcclient_140104877528080
2020-02-24T18:26:09Z DEBUG   File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/cli.py", line 340, in run
    return cfgr.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.7/site-packages/ipaclient/install/client.py", line 3818, in main
    install(self)
  File "/usr/lib/python3.7/site-packages/ipaclient/install/client.py", line 2531, in install
    _install(options)
  File "/usr/lib/python3.7/site-packages/ipaclient/install/client.py", line 2843, in _install
    api.finalize()
  File "/usr/lib/python3.7/site-packages/ipalib/plugable.py", line 743, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python3.7/site-packages/ipalib/plugable.py", line 430, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python3.7/site-packages/ipalib/plugable.py", line 622, in load_plugins
    for package in self.packages:
  File "/usr/lib/python3.7/site-packages/ipalib/__init__.py", line 954, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 134, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/schema.py", line 553, in get_package
    schema = Schema(client)
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/schema.py", line 402, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/schema.py", line 427, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 1149, in forward
    return self._call_command(command, params)
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 1125, in _call_command
    return command(*params)
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 1279, in _call
    return self.__request(name, args)
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 1246, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python3.7/xmlrpc/client.py", line 1154, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 724, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 677, in _auth_complete
    message=u"No valid Negotiate header in server response")

2020-02-24T18:26:09Z DEBUG The ipa-client-install command failed, exception: KerberosError: No valid Negotiate header in server response
2020-02-24T18:26:09Z ERROR No valid Negotiate header in server response
2020-02-24T18:26:09Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
adelton commented 4 years ago

Please check https://github.com/freeipa/freeipa-container/issues/274 where the similar issue was reported. There were multiple things going on there but my interpretation is that you likely want to

GitNRG commented 4 years ago

Well, the sad part is that I've already seen #274 and in fact that's where I found the --privileged and --security-opt seccomp:unconfined options. Following your advice I've tried to remove these options one by one and both at the same time.

Without --privileged, or without both --privileged and --security-opt seccomp:unconfined, the container start fails in a few seconds with

systemd v243.6-1.fc31 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified)
Detected virtualization container-other.
Detected architecture x86-64.
Failed to create symlink /sys/fs/cgroup/cpuacct: File exists
Failed to create symlink /sys/fs/cgroup/cpu: File exists
Failed to create symlink /sys/fs/cgroup/net_cls: File exists
Failed to create symlink /sys/fs/cgroup/net_prio: File exists
Set hostname to <ipa.example.test>.
Initializing machine ID from random generator.
Failed to create /docker/41a2a75ff1a98115cc94d4f7fe6fb6a563c00475ac99b5850e2be32454f79d1d/init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...

Without --security-opt seccomp:unconfined the result doesn't change. It's probably a redundant option, but removing it doesn't fix the issue.

Regarding tests/run-partial-tests.sh Dockerfile.fedora-31: macOS ships with the BSD version of sed, which prevented me from running ./tests/run-partial-tests.sh Dockerfile.fedora-31 right away, and I had to make a few amendments: 1) add -i '' to sed, 2) add ; after the p sed command, 3) remove T from the sed command.

These lines were updated in run-partial-tests.sh

SED_TO_NEXT_TEST='1,/^# test:/{s/^# \(debug\|test-add\):\s*//;p;}'
...
sed -i '' -n "$SED_TO_NEXT_TEST" "$DOCKERFILE" >> "$DOCKERFILE.part"
...
sed -i '' -n "1,${START}{s/^/## /;p;d};$SED_TO_NEXT_TEST" "$DOCKERFILE" >> "$DOCKERFILE.part"
...
TEST_SCRIPT=$( sed -i '' -n '$s/^# test:\s*//;s/\( \|$\)/ 'freeipa-server-container-$SUFFIX' /;p;' "$DOCKERFILE.part" )

After this I get

./tests/run-partial-tests.sh Dockerfile.fedora-31
OK ./tests/run-partial-tests.sh.

Forgot to mention that before creating this issue I've also tried the centos-7 and centos-8 images, but they were unsuccessful as well.

adelton commented 4 years ago

If the run-partial-tests.sh passed, you managed to run a container. Rerun it as bash -x to see the exact docker run commands that are executed, and then adapt to your needs.

adelton commented 4 years ago

We seem to have lost traction here.

lastcoolnameleft commented 4 years ago

@adelton I'm having the exact same issue. Thanks to @GitNRG for the detailed notes so I could re-run the tests myself.


# ./tests/run-partial-tests.sh Dockerfile.fedora-31

+ set -e
++ dirname ./tests/run-partial-tests.sh
+ DIR=./tests
+ DOCKERFILE=Dockerfile.fedora-31
+ '[' -z Dockerfile.fedora-31 ']'
+ export docker=docker
+ docker=docker
+ SUFFIX=fedora-31
++ wc -l
+ END='      29'
+ START=1
+ '[' 1 -lt '      29' ']'
+ SED_TO_NEXT_TEST='1,/^# test:/{s/^# \(debug\|test-add\):\s*//;p;}'
+ '[' 1 = 1 ']'
+ echo '# This line is commented out to match line count'
+ sed -i '' -n '1,/^# test:/{s/^# \(debug\|test-add\):\s*//;p;}' Dockerfile.fedora-31
++ sed -i '' -n '$s/^# test:\s*//;s/\( \|$\)/ freeipa-server-container-fedora-31 /;p;' Dockerfile.fedora-31.part
+ TEST_SCRIPT=
+ '[' -n '' ']'
+ break
+ echo OK ./tests/run-partial-tests.sh.
OK ./tests/run-partial-tests.sh.
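The `-i ''` added to the sed lines in the earlier comment turns them into in-place edits: with `-n` and `p` the selected lines are written back into the input file and nothing reaches stdout, so `$DOCKERFILE.part` stays empty, `TEST_SCRIPT` comes back empty (the `TEST_SCRIPT=` line in the trace above), and the script reaches `break` and prints OK without having started a container; the underlying portability gaps are sed's GNU-only `\|` alternation, `\s` and the `T` command, none of which BSD sed on macOS has. Below is an added example, not the project's run-partial-tests.sh, of the same segment extraction done with awk and POSIX sh so it runs unchanged on both platforms, with an explicit failure when no `# test:` command is found. The sample Dockerfile, the `## ` commenting of earlier lines and the helper names (`extract_part`, `test_command`, `demo`) are constructed for this example.

```shell
#!/bin/sh
# Added example (not the project's tests/run-partial-tests.sh): extract one
# Dockerfile segment and its "# test:" command with awk and POSIX sh so the
# same logic runs under BSD sed/awk on macOS and GNU tools on Linux, and
# fail loudly instead of reporting OK when no test command was found.
# Assumptions (constructed for this example): a segment ends on a "# test:"
# line, "# debug:"/"# test-add:" prefixes are stripped so those lines become
# active instructions, and lines before START are kept as "## " comments.
set -eu

# Write a small constructed Dockerfile used by the demo and the checks.
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
FROM fedora:31
# debug: RUN echo debug-step
RUN echo build
# test: tests/first-check.sh
# test-add: RUN echo second-segment
# test: tests/second.sh --flag
EOF
}

# Print lines START..(next "# test:" line) of DOCKERFILE with the
# "# debug:" / "# test-add:" prefixes removed; earlier lines are emitted as
# "## " comments to keep line numbers stable. awk's ERE alternation is
# portable, unlike sed's GNU-only \| and \s, and nothing is edited in place.
extract_part() {
    dockerfile=$1
    start=$2
    awk -v start="$start" '
        NR < start { print "## " $0; next }
        { sub(/^# (debug|test-add):[ \t]*/, ""); print }
        /^# test:/ { exit }
    ' "$dockerfile"
}

# Derive the test command from the last line of a part file: strip the
# "# test:" prefix and insert CONTAINER after the first word (the script),
# as the original s/\( \|$\)/ CONTAINER / does. Returns 1 when the last line
# is not a "# test:" line, so an empty command can never be mistaken for a
# passing test (the trace above shows TEST_SCRIPT= followed by OK).
test_command() {
    partfile=$1
    container=$2
    last=$(tail -n 1 "$partfile")
    case $last in
        "# test:"*) ;;
        *) return 1 ;;
    esac
    cmd=$(printf '%s' "${last#"# test:"}" | sed 's/^[[:space:]]*//')
    script=${cmd%% *}
    rest=${cmd#"$script"}
    printf '%s %s%s\n' "$script" "$container" "$rest"
}

# Walk every segment of the sample Dockerfile and report the command each
# partial build would run. A segment without a "# test:" line aborts the
# run with a non-zero exit instead of printing OK.
demo() {
    tmp=$(mktemp -d)
    write_sample_dockerfile "$tmp/Dockerfile"
    container=freeipa-server-container-fedora-31
    total=$(( $(wc -l < "$tmp/Dockerfile") ))
    start=1
    while :; do
        extract_part "$tmp/Dockerfile" "$start" > "$tmp/Dockerfile.part"
        if ! cmd=$(test_command "$tmp/Dockerfile.part" "$container"); then
            echo "no '# test:' line found after line $start; aborting" >&2
            rm -rf "$tmp"
            return 1
        fi
        echo "segment from line $start would run: $cmd"
        lines=$(( $(wc -l < "$tmp/Dockerfile.part") ))
        [ "$lines" -lt "$total" ] || break
        start=$((lines + 1))
    done
    rm -rf "$tmp"
}

demo
```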